Digital Operational Resilience Act (DORA)
What is DORA?
The Digital Operational Resilience Act (DORA) is a European Union regulation that sets binding requirements for how financial entities must manage and withstand information and communication technology (ICT) risks. It applies to a wide range of organizations, including banks, investment firms, insurance companies, and critical third-party ICT service providers.
DORA establishes a unified framework for ICT risk management, incident response, testing, and oversight of third-party providers. It shifts the regulatory focus from financial risk to operational resilience, requiring firms to demonstrate their ability to prevent, withstand, and recover from ICT-related disruptions.
Compliance has been mandatory since January 17, 2025. Financial institutions must document their ICT risk posture, secure their supply chain, and continuously improve their resilience through automated controls and testing.
DORA Requirements
DORA is organized into five pillars. Each pillar contains mandatory practices to improve operational resilience across financial services and their technology providers. Tufin supports the enforcement of security policies and change governance that map to several of these requirements.
ICT Risk Management
Organizations must establish a complete ICT risk management framework. This includes identifying assets, assessing risks, enforcing preventive controls, and ensuring that changes to the environment do not compromise resilience.
Incident Detection and Reporting
Firms must monitor ICT systems for anomalous behavior and report significant incidents to regulators. This requires the ability to detect unauthorized changes or access paths in real time.
Digital Operational Resilience Testing
Institutions must perform regular resilience testing. This includes scenario-based exercises and penetration testing to evaluate the effectiveness of technical controls and response capabilities.
Third-Party Risk Management
Financial entities must manage the security of their ICT supply chain. This includes evaluating, documenting, and controlling how third-party providers connect to internal systems.
Information Sharing
Firms are encouraged to collaborate on cybersecurity intelligence and share information that can improve collective defense. This includes documenting exposure, response, and lessons learned.
Tufin and DORA Compliance
With Tufin, you can manage network access controls in line with DORA requirements. You can define network segmentation that informs network compliance policies, simulate the risk of an access policy change before it is made, and document every access control policy change that may affect ICT systems.
Map and secure your ICT infrastructure
Tufin generates a global topology map of your hybrid network. You can use the topology to analyze interconnected systems, identify access paths, and evaluate risky configurations. You can define network segmentation guidelines using Tufin Zones and the Unified Security Policy. By documenting policies that block all traffic except for clearly defined applications, groups, and services, you can maintain least-privilege access across the network and comply with DORA risk management guidelines.
Monitor and validate changes to reduce incident risk
Tufin continuously monitors your firewall configurations for compliance violations. If a rule is added or modified that contradicts the Unified Security Policy or meets defined risk criteria, a Tufin administrator can be alerted to the change.
Simulate remediation and validate test outcomes
When using Tufin, every policy modification is evaluated for compliance against your Unified Security Policy as well as other risk factors. You can build a workflow that identifies whether the change is overly permissive or might expose a vulnerable asset to an untrusted network. Once approved, every policy modification is documented in a comprehensive audit trail recording who made the change, when, and why.
Restrict and monitor third-party access
Tufin lets you define which assets or subnets in the network third-party providers are permitted to access. You can group access by provider and enforce strict limitations on which endpoints are reachable. This ensures vendor access does not compromise operational resilience.
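The four practices above (a default-deny zone segmentation policy, evaluating each proposed rule change against it, restricting a third-party provider's range to specific endpoints, and recording who requested the change, when and why) can be expressed as a small policy-as-code check. The following is an added example written for this page, not Tufin's own code or API: the zone CIDRs, the allowed zone-to-zone service matrix, the rule format and the change identifiers are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import IPv4Network, ip_network

# Constructed zones (hypothetical IPv4 addressing, not a real estate).
# The most specific matching zone wins; 0.0.0.0/0 is the "internet" fallback.
ZONES: dict[str, IPv4Network] = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("10.10.0.0/16"),
    "core-banking": ip_network("10.20.0.0/16"),
    "vendor": ip_network("203.0.113.0/24"),  # a third-party provider's range
}

# Segmentation policy (constructed): everything not listed is denied.
# (source zone, destination zone) -> services that an allow rule may carry.
ALLOWED: dict[tuple[str, str], set[str]] = {
    ("internet", "dmz"): {"tcp/443"},
    ("dmz", "core-banking"): {"tcp/8443"},
    ("vendor", "dmz"): {"tcp/443"},       # the provider reaches one service in the DMZ only
}


@dataclass(frozen=True)
class FirewallRule:
    source: str       # CIDR; "0.0.0.0/0" stands for "any"
    destination: str  # CIDR
    service: str      # e.g. "tcp/443", or "any"
    action: str       # "allow" or "deny"


def zone_of(cidr: str) -> str:
    """Return the most specific zone that fully contains the CIDR (longest prefix wins)."""
    net = ip_network(cidr, strict=False)
    containing = [(name, zone) for name, zone in ZONES.items() if net.subnet_of(zone)]
    return max(containing, key=lambda pair: pair[1].prefixlen)[0]


def evaluate_rule(rule: FirewallRule) -> list[str]:
    """Return policy findings for a proposed rule; an empty list means compliant."""
    if rule.action != "allow":
        return []  # a deny rule cannot widen access beyond the default-deny policy
    findings: list[str] = []
    src_zone, dst_zone = zone_of(rule.source), zone_of(rule.destination)
    if ip_network(rule.source, strict=False).prefixlen == 0:
        findings.append("overly permissive: source is 'any'")
    if rule.service == "any":
        findings.append("overly permissive: service is 'any'")
    # "any" is never in the matrix, so it is always reported as a violation too.
    if rule.service not in ALLOWED.get((src_zone, dst_zone), set()):
        findings.append(
            f"segmentation violation: {src_zone} -> {dst_zone} on {rule.service} "
            "is not in the allowed matrix"
        )
    return findings


def record_change(audit_trail: list[dict], rule: FirewallRule,
                  requested_by: str, justification: str) -> dict:
    """Evaluate the rule, append an audit entry (who, what, when, why, outcome), return it."""
    findings = evaluate_rule(rule)
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "requested_by": requested_by,
        "justification": justification,
        "rule": rule,
        "findings": findings,
        "decision": "approved" if not findings else "blocked-for-review",
    }
    audit_trail.append(entry)
    return entry


if __name__ == "__main__":
    trail: list[dict] = []
    # Constructed change requests; the CHG identifiers are placeholders.
    proposals = [
        (FirewallRule("203.0.113.0/24", "10.10.5.0/24", "tcp/443", "allow"),
         "vendor-mgmt", "CHG-0001 (constructed): vendor portal access"),
        (FirewallRule("203.0.113.0/24", "10.20.1.0/24", "tcp/22", "allow"),
         "vendor-mgmt", "CHG-0002 (constructed): vendor SSH into core banking"),
        (FirewallRule("0.0.0.0/0", "10.20.0.0/16", "any", "allow"),
         "ops", "CHG-0003 (constructed): troubleshooting"),
    ]
    for rule, who, why in proposals:
        entry = record_change(trail, rule, who, why)
        print(entry["decision"], rule.source, "->", rule.destination,
              rule.service, entry["findings"])
```

The check mirrors the structure of the page's argument: the zone matrix is the documented segmentation baseline, every allow rule is validated against it before approval, the vendor range only ever reaches the services listed for it, and the audit entry carries the who/when/why that an oversight review asks for. A real deployment would load zones and the matrix from the policy system of record rather than literals, and would also handle IPv6 and rules whose source spans several zones.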
Maintain a continuous state of audit readiness
Tufin captures a complete history of your access control policies. You can generate reports on segmentation, risk simulation, and change history to support DORA oversight.
Tufin Capabilities Mapped to DORA
DORA Pillar | Requirement | Tufin Capability | Compliance Outcome |
---|---|---|---|
ICT Risk Management | Secure architecture and segmentation | SecureTrack, USP | Map assets and enforce least-privilege access across environments |
Incident Detection | Detect and respond to policy changes | SecureTrack Monitoring | Identify unauthorized changes and support incident response |
Resilience Testing | Validate and mitigate vulnerabilities | SecureChange Simulation | Simulate fixes and prevent configuration-based exposure |
Third-Party Risk Management | Restrict and document vendor access | SecureTrack Segmentation | Isolate and control how external providers reach internal systems |
Audit Readiness | Provide documented policy history | SecureTrack Reporting | Demonstrate consistent enforcement and access governance |
Tufin helps implement policy management that supports DORA compliance.